Improve SARIF grouped-by-rule alerts processing

Author: data-douser

CHANGELOG.md

@@ -21,18 +21,18 @@ _Changes on `main` since the latest tagged release that have not yet been includ
 - **Persistent MRVA workflow state and caching** — Introduced a new `SqliteStore` backend plus opt-in annotation, audit, and query result cache tools to support the next phase of MCP-assisted CodeQL development and `seclab-taskflow-agent` integration. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))
 - **Rust language support** — Added first-class Rust support with `PrintAST`, `PrintCFG`, `CallGraphFrom`, `CallGraphTo`, and `CallGraphFromTo` queries, bringing the total supported languages to 10. ([#195](https://github.com/advanced-security/codeql-development-mcp-server/pull/195))
 - **Bug fixes and design improvements from recent evaluation sessions** — Fixed 5 bugs across `bqrs_interpret`, `bqrs_info`, `annotation_search`, `audit_add_notes`, and `query_results_cache_compare`; added `database_analyze` auto-caching and per-database mutex serialization; auto-enabled annotation tools in VS Code extension. ([#199](https://github.com/advanced-security/codeql-development-mcp-server/pull/199))
-- **SARIF analysis tools and cache model improvements** — Added `sarif_list_rules`, `sarif_extract_rule`, `sarif_rule_to_markdown`, `sarif_compare_alerts`, and `sarif_diff_runs` tools for rule-level SARIF extraction, Mermaid dataflow visualization, alert overlap analysis, and cross-run behavioral comparison. Extended cache model with `rule_id` and `run_id` columns; added `ruleId` filter to all cache tools; auto-decompose `database_analyze` SARIF into per-rule cache entries. Added `compare_overlapping_alerts` prompt and updated all SARIF-related prompts with tool recommendations. Extracted shared libraries for database metadata and SARIF rule name resolution. ([#201](https://github.com/advanced-security/codeql-development-mcp-server/issues/201))
+- **SARIF analysis tools and cache model improvements** — Added `sarif_list_rules`, `sarif_extract_rule`, `sarif_rule_to_markdown`, `sarif_compare_alerts`, and `sarif_diff_runs` tools for rule-level SARIF extraction, Mermaid dataflow visualization, alert overlap analysis, and cross-run behavioral comparison. Extended cache model with `rule_id` and `run_id` columns; added `ruleId` filter to all cache tools; auto-decompose `database_analyze` SARIF into per-rule cache entries. Added `compare_overlapping_alerts` prompt and updated all SARIF-related prompts with tool recommendations. Extracted shared libraries for database metadata and SARIF rule name resolution. ([#204](https://github.com/advanced-security/codeql-development-mcp-server/pull/204))
 
 ### Added
 
 #### MCP Server Tools
 
-| Tool                                                                                                                     | Description                                                                                                                                                                                                                                       |
-| ------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `annotation_create`, `annotation_get`, `annotation_list`, `annotation_update`, `annotation_delete`, `annotation_search`  | General-purpose annotation tools for creating, managing, and searching notes and bookmarks on analysis entities. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))                                            |
-| `audit_store_findings`, `audit_list_findings`, `audit_add_notes`, `audit_clear_repo`                                     | Repo-keyed audit tools for MRVA finding management and triage workflows. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))                                                                                    |
-| `query_results_cache_lookup`, `query_results_cache_retrieve`, `query_results_cache_clear`, `query_results_cache_compare` | Query result cache tools for lookup, subset retrieval, cache clearing, and cross-database comparison. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))                                                       |
-| `sarif_list_rules`, `sarif_extract_rule`, `sarif_rule_to_markdown`, `sarif_compare_alerts`, `sarif_diff_runs`            | SARIF analysis tools for rule discovery, per-rule extraction, Mermaid dataflow visualization, alert overlap comparison, and cross-run behavioral diffing. ([#201](https://github.com/advanced-security/codeql-development-mcp-server/issues/201)) |
+| Tool                                                                                                                     | Description                                                                                                                                                                                                                                     |
+| ------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `annotation_create`, `annotation_get`, `annotation_list`, `annotation_update`, `annotation_delete`, `annotation_search`  | General-purpose annotation tools for creating, managing, and searching notes and bookmarks on analysis entities. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))                                          |
+| `audit_store_findings`, `audit_list_findings`, `audit_add_notes`, `audit_clear_repo`                                     | Repo-keyed audit tools for MRVA finding management and triage workflows. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))                                                                                  |
+| `query_results_cache_lookup`, `query_results_cache_retrieve`, `query_results_cache_clear`, `query_results_cache_compare` | Query result cache tools for lookup, subset retrieval, cache clearing, and cross-database comparison. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))                                                     |
+| `sarif_list_rules`, `sarif_extract_rule`, `sarif_rule_to_markdown`, `sarif_compare_alerts`, `sarif_diff_runs`            | SARIF analysis tools for rule discovery, per-rule extraction, Mermaid dataflow visualization, alert overlap comparison, and cross-run behavioral diffing. ([#204](https://github.com/advanced-security/codeql-development-mcp-server/pull/204)) |
 
 #### MCP Server Resources
 
@@ -42,9 +42,9 @@ _Changes on `main` since the latest tagged release that have not yet been includ
 
 #### MCP Server Prompts
 
-| Prompt                       | Description                                                                                                                                                                                                                                            |
-| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `compare_overlapping_alerts` | Multi-SARIF alert comparison workflow: compares alerts across rules, files, runs, databases, or CodeQL versions with 8-step guided analysis using SARIF tools. ([#201](https://github.com/advanced-security/codeql-development-mcp-server/issues/201)) |
+| Prompt                       | Description                                                                                                                                                                                                                                          |
+| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `compare_overlapping_alerts` | Multi-SARIF alert comparison workflow: compares alerts across rules, files, runs, databases, or CodeQL versions with 8-step guided analysis using SARIF tools. ([#204](https://github.com/advanced-security/codeql-development-mcp-server/pull/204)) |
 
 #### CodeQL Query Packs
 

client/integration-tests/primitives/prompts/compare_overlapping_alerts/basic_comparison/before/monitoring-state.json

@@ -1,6 +1,6 @@
 {
   "sessions": [],
   "parameters": {
-    "sarifPathA": "nonexistent/path/to/results.sarif"
+    "sarifPathA": "client/integration-tests/primitives/tools/sarif_extract_rule/extract_sql_injection/before/test-input.sarif"
   }
 }

server/dist/codeql-development-mcp-server.js

@@ -183301,6 +183301,16 @@ async function evaluateWithCustomScript(_bqrsPath, _queryPath, _scriptPath, _out
 function getRuleDisplayName(rule) {
   return rule.shortDescription?.text ?? rule.name ?? rule.id;
 }
+function collectAllRules(run) {
+  const driverRules = run.tool.driver.rules ?? [];
+  const extensionRules = [];
+  for (const ext of run.tool.extensions ?? []) {
+    if (ext.rules) {
+      extensionRules.push(...ext.rules);
+    }
+  }
+  return [...driverRules, ...extensionRules];
+}
 function extractPrimaryLocations(result) {
   return (result.locations ?? []).filter((loc) => loc.physicalLocation?.artifactLocation?.uri).map((loc) => ({
     endColumn: loc.physicalLocation.region?.endColumn,
@@ -183452,7 +183462,7 @@ function extractRuleFromSarif(sarif, ruleId) {
   if (!run) {
     return { ...sarif, runs: [{ tool: { driver: { name: "CodeQL", rules: [] } }, results: [] }] };
   }
-  const allRules = run.tool.driver.rules ?? [];
+  const allRules = collectAllRules(run);
   const matchingRules = allRules.filter((r) => r.id === ruleId);
   const matchingResults = (run.results ?? []).filter((r) => r.ruleId === ruleId).map((r) => ({ ...r, ruleIndex: 0 }));
   const extractedRun = {
@@ -183596,7 +183606,7 @@ function sarifRuleToMarkdown(sarif, ruleId) {
 function listSarifRules(sarif) {
   const run = sarif.runs[0];
   if (!run) return [];
-  const allRules = run.tool.driver.rules ?? [];
+  const allRules = collectAllRules(run);
   const results = run.results ?? [];
   const toolName = run.tool.driver.name;
   const toolVersion = run.tool.driver.version;
@@ -185038,11 +185048,13 @@ Interpreted output saved to: ${outputFilePath}`;
               try {
                 const sarif = JSON.parse(resultContent);
                 resultCount = sarif?.runs?.[0]?.results?.length ?? 0;
-                const rules = sarif?.runs?.[0]?.tool?.driver?.rules;
-                if (Array.isArray(rules) && rules.length > 0) {
-                  const rule = rules[0];
-                  ruleId = rule.id ?? null;
-                  sarifQueryName = getRuleDisplayName(rule);
+                const run = sarif?.runs?.[0];
+                if (run) {
+                  const allRules = collectAllRules(run);
+                  if (allRules.length > 0) {
+                    ruleId = allRules[0].id ?? null;
+                    sarifQueryName = getRuleDisplayName(allRules[0]);
+                  }
                 }
               } catch {
               }
@@ -189005,8 +189017,7 @@ async function discoverDatabases(baseDirs, language) {
       } catch {
         continue;
       }
-      const ymlPath = join12(entryPath, "codeql-database.yml");
-      if (!existsSync8(ymlPath)) {
+      if (!existsSync8(join12(entryPath, "codeql-database.yml")) && !existsSync8(join12(entryPath, "codeql-database.yaml"))) {
         continue;
       }
       const metadata = readDatabaseMetadata(entryPath);

server/dist/codeql-development-mcp-server.js.map

@@ -13,7 +13,7 @@ import { CLIExecutionResult, executeCodeQLCommand, getActualCodeqlVersion } from
 import { readDatabaseMetadata } from './database-resolver';
 import { evaluateQueryResults, extractQueryMetadata, QueryEvaluationResult } from './query-results-evaluator';
 import { resolveQueryPath } from './query-resolver';
-import { decomposeSarifByRule, getRuleDisplayName } from './sarif-utils';
+import { collectAllRules, decomposeSarifByRule, getRuleDisplayName } from './sarif-utils';
 import { sessionDataManager } from './session-data-manager';
 
 /**
@@ -243,12 +243,15 @@ export async function processQueryRunResults(
               try {
                 const sarif = JSON.parse(resultContent);
                 resultCount = (sarif?.runs?.[0]?.results as unknown[] | undefined)?.length ?? 0;
-                // Extract ruleId and query name from SARIF — single-query runs have exactly one rule
-                const rules = sarif?.runs?.[0]?.tool?.driver?.rules;
-                if (Array.isArray(rules) && rules.length > 0) {
-                  const rule = rules[0] as import('../types/sarif').SarifRule;
-                  ruleId = rule.id ?? null;
-                  sarifQueryName = getRuleDisplayName(rule);
+                // Extract ruleId and query name from SARIF — supports both standard
+                // (driver.rules) and grouped-by-pack (extensions[].rules) layouts
+                const run = sarif?.runs?.[0];
+                if (run) {
+                  const allRules = collectAllRules(run as import('../types/sarif').SarifDocument['runs'][0]);
+                  if (allRules.length > 0) {
+                    ruleId = allRules[0].id ?? null;
+                    sarifQueryName = getRuleDisplayName(allRules[0]);
+                  }
                 }
               } catch { /* non-SARIF content — leave count/ruleId null */ }
             }

server/src/lib/result-processor.ts

@@ -100,6 +100,24 @@ export function getRuleDisplayName(rule: SarifRule): string {
   return rule.shortDescription?.text ?? rule.name ?? rule.id;
 }
 
+/**
+ * Collect all rule definitions from a SARIF run.
+ *
+ * Rules may live in `tool.driver.rules` (standard) or in
+ * `tool.extensions[].rules` (when `--sarif-group-rules-by-pack` is used).
+ * This function merges both sources into a single array.
+ */
+export function collectAllRules(run: SarifDocument['runs'][0]): SarifRule[] {
+  const driverRules = run.tool.driver.rules ?? [];
+  const extensionRules: SarifRule[] = [];
+  for (const ext of run.tool.extensions ?? []) {
+    if (ext.rules) {
+      extensionRules.push(...ext.rules);
+    }
+  }
+  return [...driverRules, ...extensionRules];
+}
+
 // ---------------------------------------------------------------------------
 // Location extraction helpers
 // ---------------------------------------------------------------------------
@@ -325,7 +343,8 @@ export function extractRuleFromSarif(sarif: SarifDocument, ruleId: string): Sari
     return { ...sarif, runs: [{ tool: { driver: { name: 'CodeQL', rules: [] } }, results: [] }] };
   }
 
-  const allRules = run.tool.driver.rules ?? [];
+  // Collect rules from both driver and extensions (supports --sarif-group-rules-by-pack)
+  const allRules = collectAllRules(run);
   const matchingRules = allRules.filter(r => r.id === ruleId);
   const matchingResults = (run.results ?? [])
     .filter(r => r.ruleId === ruleId)
@@ -544,7 +563,7 @@ export function listSarifRules(sarif: SarifDocument): SarifRuleSummary[] {
   const run = sarif.runs[0];
   if (!run) return [];
 
-  const allRules = run.tool.driver.rules ?? [];
+  const allRules = collectAllRules(run);
   const results = run.results ?? [];
   const toolName = run.tool.driver.name;
   const toolVersion = run.tool.driver.version;

server/src/lib/sarif-utils.ts

@@ -206,7 +206,11 @@ export class SqliteStore {
         ON query_result_cache (rule_id);
     `);
 
-    // Migration: add run_id column for multi-run differentiation.
+    // Migration: add run_id column for future multi-run differentiation.
+    // Currently unused (empty string default) — the deterministic cache_key
+    // means repeated runs overwrite prior entries. A future enhancement will
+    // incorporate run_id into the cache key to enable storing multiple runs
+    // of the same query against the same database for comparison.
     this.migrateAddColumn('query_result_cache', 'run_id', "TEXT NOT NULL DEFAULT ''");
   }
 

server/src/lib/sqlite-store.ts

@@ -60,9 +60,9 @@ export async function discoverDatabases(
         continue;
       }
 
-      // Check for codeql-database.yml
-      const ymlPath = join(entryPath, 'codeql-database.yml');
-      if (!existsSync(ymlPath)) {
+      // Check for codeql-database.yml or codeql-database.yaml
+      if (!existsSync(join(entryPath, 'codeql-database.yml')) &&
+          !existsSync(join(entryPath, 'codeql-database.yaml'))) {
         continue;
       }
 

server/src/tools/codeql/list-databases.ts

@@ -113,6 +113,7 @@ export const SarifRunSchema = z.object({
     }),
     extensions: z.array(z.object({
       name: z.string(),
+      rules: z.array(SarifRuleSchema).optional(),
       version: z.string().optional(),
     })).optional(),
   }),